I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

steal customer data, but those days of relative comfort may be coming to an end.

Researchers at AV-TEST, an independent organization that tests antimalware and security software, announced this week they had discovered 139 samples of malware that "appear to be related to recently reported CPU vulnerabilities." While the good news is that most of the malware samples appear to be based on previously published proof-of-concepts from security researchers, the bad news is that AV-TEST's latest findings show the number of unique samples has risen sharply in recent weeks.

The organization had previously reported the discovery of 77 unique samples of Meltdown and Spectre malware on January 17. At that time, AV-TEST said via Twitter that all identified samples were "original or modified PoC code" and that the majority of the samples were for Spectre rather than Meltdown. AV-TEST posted another update on Jan. 23 showing the unique malware samples had risen to 119.

Andreas Marx, CEO of AV-TEST, told SearchSecurity he believes malware authors are still in the "research phase" of developing attacks based on Meltdown and Spectre. "Most of the samples appear to be recompiled/extended versions of the POCs," Marx said via email. "Interestingly, for various platforms like Windows, Linux and MacOS. Besides this, we also found the first JavaScript POC codes for web browsers like Internet Explorer, Chrome or FireFox in our database now."

After analyzing most of those samples, Fortinet's FortiGuard Labs published a report Tuesday saying it was "concerned" about the potential of Meltdown and Spectre malware attacking users and enterprises.

"FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected [by AV-TEST], and determined that they were all based on proof of concept code," the research team wrote. "The other 17 percent may have not been shared publicly because they were either under NDA or were unavailable for reasons unknown to us."

Marx, however, said the growing number of samples aren't cause for alarm just yet. "The increase, and also the total number of samples, is still rather small," Marx said. "Just as a comparison: we're receiving about 340,000 to 350,000 unique malware samples per day, so the samples related to Spectre/Meltdown are not significant yet."

Marx added that he "wouldn't be surprised if we see the first targeted attacks, or even more widespread malware, in near future," but cautioned that widespread attacks will only happen if threat actors find an easier way to exploit the Meltdown and Spectre vulnerabilities. Currently, he said, ransomware or cryptojacking exploits are much easier to use and offer a better return on investment.

In addition to analyzing Meltdown and Spectre malware samples, Fortinet also released several antivirus signatures to help users defend against those samples. But detecting other exploits related to these chip vulnerabilities could prove extremely difficult. While Intel and AMD have said there is no evidence the flaws have been exploited in the wild, the researchers who discovered the chip vulnerabilities say it's "probably not" possible for organizations or users to tell whether Meltdown and Spectre have been used against them.

"The exploitation does not leave any traces in traditional log files," according to an FAQ on the Meltdown and Spectre research site.

Defending against possible Meltdown and Spectre malware has been further complicated by patch issues. Intel recently announced it was pulling its microcode updates for the chip vulnerabilities because of reboot problems on systems running Intel's Broadwell and Haswell processors. Microsoft later issued an out-of-band patch that disabled Intel's update for variant 2 of the Spectre vulnerability, which involves branch target injection.

Join the conversation

1 comment

Register

I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.